Downloaded 1,306 times
More Related Content
![Essential Guide to Protect Your Data [Key Management Techniques]](https://cdn.slidesharecdn.com/ss_thumbnails/keymanagementtechniques-sisapresentationatgesconference-150514060435-lva1-app6891-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Intrusion Detection System(IDS)
![Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck](https://cdn.slidesharecdn.com/ss_thumbnails/ilovepdfmerged12-251029161756-3b829161-thumbnail.jpg?width=640&height=640&fit=bounds)
Intrusion Detection System(IDS)
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7. Classification of IDSWhatis IDS?Revolution in networking
- 8. The possibilities andopportunities are limitless.
- 9. Unfortunately, so tooare the risks and chances of malicious activities.Intrusion=Illegal entry or unwelcome addition
- 10. Definition: IntrusionDetection System (IDS) is a software to determine if a computer network or server has experienced an unauthorized intrusion.
- 11. IDS detects theseintrusion attempts so that action may be takento repair the damage later. IDS monitors network traffic and monitors for suspicious activity and alerts the system or network administrator.
- 12. The beginning(History)A USAFpaper published in October 1972 written by James P. Anderson outlined the fact the USAF had “become increasingly aware of computer security problems.”
- 13. Before designing anIDS, it was necessary to understand the types of threats and attacks that could be mounted against computers systems.A computer system should provide confidentiality, integrity and assuranceagainst denial of service.
- 14. Confidentiality:Whether the informationstored on a system is protected against unauthorized access.Need of IDS
- 15. Integrity: Whetherthe information stored on a system is reliable and can be trusted.Increased connectivity: (especially on the Internet) more and more systems are subject to attack by intruders.
- 16. These intruders attemptstry to exploit flaws in the OS as well as in application programs and have resulted in spectacular incidents.
- 17. Internet Worm incidentof 1988.Two ways to handle
- 18. we cannot preventintruders,we should at least try to detect it and prevent similar attacks in future.Types of intruders
- 19. Tasks to beperformedSimulationAnalysisNotification
- 21.
- 22. Network Intrusion detectionsystemDetect attacks as they happen
- 23. Real-time monitoringof networks
- 24. Provide informationabout attacks that have succeeded
- 25. Forensic analysisDeployingsensors at strategic locations
- 26. E.G., Packet sniffingvia tcpdump at routers
- 27.
- 28. Watch for violationsof protocols and unusual connection patterns
- 29.
- 30. Look into thedata portions of the packets for malicious command sequences
- 31. May be easilydefeated by encryptionData portions and some header information can be encryptedThe decryption engine still there.
- 32. Related Tools forNetwork IDS While not an element of Snort, Ethereal is the best open source GUI-based packet viewer
- 33.
- 34.
- 35.
- 36. Red Hat LinuxRPMs: ftp.ethereal.com/pub/ethereal/rpms
- 37. Requirements of NIDSHigh-speed,large volume monitoring
- 38. No packet filterdrops
- 39.
- 40. Mechanism separate frompolicy
- 41.
- 42.
- 43. Economy in resourceusage
- 44.
- 45. Resilience to attacksupon the IDS itself!Host Intrusion Detection SystemUsing OS auditing mechanisms
- 46. E.G., BSM onSolaris: logs all direct or indirect events generated by a user
- 47. strace for systemcalls made by a program
- 48.
- 49. E.G., Analyze shellcommandsMonitoring executions of system programs
- 50. E.G., Analyze systemcalls made by sendmail
- 51. A HIDS cansee more than just network traffic and can make decisions based on local settings, settings specific to an OS, and log data.
- 53. Signature based idsSnifftraffic on network
- 54. border router ormultiple sensors within a LAN
- 55. Match sniffed tracfficwith signatures
- 56. attack signatures indatabase
- 57. Signature: set ofrules pertaining to a typical intrusion activity
- 58. Simple example rule:any ICMP packet > 10,000 bytes
- 59. Example: more thanone thousand SYN packets to different ports on same host under a secondskilled security engineers research known attacks; put them in database
- 60. can configure IDSto exclude certain signatures; can modify signature parameters
- 61. Warn administrator whensignature matches.
- 62.
- 63. send message tonetwork management systemLimitations to signature detectionRequires previous knowledge of attack to generate accurate signature
- 64. Blind to unknownattacks
- 65. Signature bases aregetting larger
- 66. Every packet mustbe compared with each signature
- 67. IDS can getoverwhelmed with processing; can miss packetsAnomaly Detection IDSObserve traffic during normal operation
- 68. Create normal trafficprofile
- 69. Look for packetstreams that are statistically unusual
- 70. e.g., inordinate percentageof ICMP packet
- 71. or exponential growthin port scans/sweeps
- 72. Doesn’t rely onhaving previous knowledge of attack
- 73. Research topic insecurity